PUIhoteles
ESEN Get started
PUI compliance
Connection to the PUI LawIdentity captureGuest registry
How it works
Query modelConnected to R2Security & encryption
For your hotel
No technical teamLlaveMX & e.firmaCompliance dashboard
By lodging type
HotelsHostelsMotelsAirbnb & short rentals
By situation
Hotels in Mexico CitySole proprietorSmall lodging
Compare
PUIhoteles vs ConectaPUIPUIhoteles vs PUIMexicovs Build it yourself
Learn
What is the PUI LawThe fine for not complyingBlogHelp center
Company
AboutContact
Pricing Get started
Compliance · PUI Law

The PUI Law for consultants: how to advise a lodging

A methodological guide for compliance consultants advising lodging establishments on the Single Identity Platform (PUI). Diagnosis of the current situation, enforceable requirements, a risk map and a practical roadmap to take a client from non-compliance to auditable compliance, based on the LGMDFP and its implementing rules.

Get startedCreate your demo

The engagement: what “complying with PUI” means for a client

The PUI (Single Identity Platform) derives from the General Law on the Forced Disappearance of Persons (LGMDFP). Its purpose is to locate missing persons, not to raise revenue or regulate tourism. For the consultant, this sets the first message to the client: the obligation cannot be negotiated through fiscal arguments nor diluted by the establishment’s size, because Article 12 Bis provides no exemptions.

Compliance breaks down into two concrete, verifiable duties: properly registering each guest’s identity and retaining it, and being able to respond, through interconnection, when authorities query a reported person. Everything else (electronic signature, digital identity, technical configuration) is instrumental to those two duties and should be presented to the client in that order of priority.

The value the consultant adds is not theoretical: it is turning a diffuse risk into an executable plan and retained evidence. The typical client does not know what data the rule requires, how to prove compliance, or which pieces depend on a manual still pending. The methodology that follows organizes that work into diagnosis, requirements, risks and a roadmap.

Initial diagnosis of the establishment

The questions that frame the first session with the client.

  1. Legal form and sizeDetermine whether it operates as an individual or a company, and its capacity. This defines the center of liability, not the existence of the obligation.
  2. How it registers guests todayReview whether it captures identity and how (notebook, sheet, system). Identify whether it stores CURP, document and nationality or only a name.
  3. Status of its digital credentialsVerify whether it holds a valid electronic signature and a configured digital identity, as these are interconnection requirements.
  4. Exposure to local regimesConfirm whether its state imposes additional registration or video-surveillance duties that run in parallel to the federal PUI.

Enforceable requirements the client must meet

The checklist the consultant translates into concrete deliverables.

Identity capture

Record of CURP, name, date of birth and document for each guest; for foreigners, passport or migratory form (FMM) and nationality.

Retained registry

The record must be kept current, retained securely and be exportable as evidence in response to a request.

Valid e.firma

The SAT electronic signature is one of the interconnection’s identification mechanisms; it must be obtained and valid.

Digital identity

The government’s free digital identity (LlaveMX) is used to access the portal and must be configured.

Data security

As personal data is involved, capture, storage and transmission must observe reasonable security measures.

Interconnection path

A query URL with JWT authentication and TLS transport, per Technical Manual v1.0, ready to switch on when enforceable.

Risk map: what to warn the client about in writing

The primary risk is the Article 43 Bis penalty: from 10,000 to 20,000 UMA, which with the 2026 UMA at $117.31 amounts to between $1,173,100 and $2,346,200 MXN per infraction. It is worth recording in writing that the penalty is set per infraction and not as a single annual fine, because that precision changes the client’s perception of aggregate exposure.

The second risk is evidentiary. Even where an establishment believes it registers its guests, if it does so in an open notebook or without retaining the data in exportable form, its ability to prove compliance in response to a request is fragile. The consultant should warn that retained evidence is as important as the act of registering.

The third risk is regulatory timing. Full interconnection depends on the SNIP Operations Manual, pending publication, which on release will open a 45-business-day window to request access. Recommending that the client wait for that manual before starting is a common mistake: identity registration is already mandatory and does not depend on it. The correct advice is to start capturing now and keep interconnection prepared.

Roadmap: from non-compliance to auditable compliance

The recommended sequence to bring a client to a defensible state.

  1. Phase 1 — Capture identity immediatelyRoll out the correct registration of CURP, document and nationality at check-in. It depends on no pending manual and reduces risk from day one.
  2. Phase 2 — Organize the registry and evidenceEnsure the record is retained, kept current and exportable, so the client can prove compliance.
  3. Phase 3 — Prepare digital credentialsObtain or validate the electronic signature and configure the digital identity, which are prerequisites for interconnection.
  4. Phase 4 — Activate interconnectionHave the query URL ready per the Technical Manual and switch it on when the SNIP Operations Manual permits.

Frequent consulting questions about the PUI Law

Where do I begin a client’s diagnosis?
With its legal form and size, how it registers guests today, and the status of its digital credentials (electronic signature and digital identity). That sets the starting point and shapes the roadmap. The obligation exists for every lodging, so size defines the risk, not the applicability.
What minimum requirements must the client meet?
Capture complete identity for each guest (CURP, name, date, document; for foreigners passport or FMM and nationality), retain the registry in exportable form, hold a valid electronic signature and digital identity, and have an interconnection path per Technical Manual v1.0.
What risk should I warn about in writing?
The Art. 43 Bis fine, from 10,000 to 20,000 UMA per infraction (between $1,173,100 and $2,346,200 MXN with the 2026 UMA), the evidentiary risk of not retaining exportable evidence, and the timing risk of waiting for the SNIP Operations Manual before starting to register.
Should the client wait for the pending manual?
Not for identity registration, which is already mandatory and does not depend on that manual. The advice is to start capturing immediately and keep interconnection prepared to activate when the SNIP Operations Manual is published, which will open 45 business days to request access.
Does the PUI replace the local registries my client already keeps?
No. The federal PUI obligation runs in parallel to any local registration or video-surveillance duties in the client’s state. Each regime is met separately; one does not evidence the other.
How does a tool like PUIhoteles fit into my advisory work?
PUIhoteles is a certified connector, connected to R2 OS in real time, covering identity capture, the exportable registry and interconnection, which lets the consultant deliver an auditable path to compliance. It costs $4,350 MXN setup and $930 MXN per month (plus VAT), with no lock-in.

Put PUIhoteles to work for you

Get started